We are pleased to announce the release of phpBB 3.1.11 "Bertie's Cassini hitchhike". This version is a maintenance & security release of the 3.1.x branch which fixes three security issues, as well as adding more hardening and fixes for various bugs reported in previous versions.
A server-side request forgery (SSRF) exploit was discovered in the remote avatar functionality which could be used to perform service discovery on internal and external networks as well as retrieve images which are usually restricted to local access (thanks to SEC Consult for the report). Additionally, a cross-site scripting vulnerability via version check files was discovered internally (thanks Derk Ruitenbeek). This could have been used to trick users into clicking on javascript: links. The third fixed issue concerned potential high load scenarios that could be caused by specially crafted search queries while using MySQL fulltext search.Please note that this is the last maintenance release for phpBB 3.1 as it has now reached end of maintenance (EOM). It will continue to receive security updates until December 2017.

The bugfixes address issues with duplicate entries for migrations that could result in extensions not properly installing or uninstalling, an invalid definition in an SQL query that prevents ordering of PMs, as well as issues with updating from earlier versions using PostgreSQL.
Notable changes are pagination for IP tables and post info and added search indexing for topics after splitting a topic. The version check now also supports branches which will result in more helpful information about new versions on other branches.